= DRAMBORA Notes =

DRAMBORA is short for ''Digital Repository Audit Method Based on Risk Assessment''. The DRAMBORA creators are the [[http://www.dcc.ac.uk/|Digital Curation Centre]] (DCC) and [[http://www.digitalpreservationeurope.eu/|DigitalPreservationEurope]] (DPE). The notes are for the DRAMBORA guide version 1.0 ''Draft for Public Testing & Comment''.

 * [[#Summary|Executive Summary]]
 * [[#Introduction|Introduction]]
 * [[NotesOnDramboraPartIBackground| PART I: Background]]
 * [[#Process|PART II: Audit Process]]
 * [[#Conclusions|PART III: Conclusions]]
 * [[#app3|Appendix 3: Example Risk Register]]

== Executive Summary ==

The DRAMBORA toolkit represents the latest development in an effort to conceive criteria, means and methodologies for audit and certification of digital repositories. The RLG/NARA Task Force (TRAC) and the nestor working group have also developed criteria (check-lists) for audit and certification of trustworthy digital repositories. DRAMBORA can be used in association with one or both of these check-lists.

##Note that the term ''digital repository'' has a broad range of uses. A digital repository in the OAIS (Open Archival Information System) world is a
##collection of digital material intended to survive in an understandable way for very long periods of time. The DRAMBORA toolkit aims to complement other
##repository audit and certification work by addressing the full range of repositories.

== Introduction ==

 * Digital curation is characterised as a process of transforming controllable and uncontrollable uncertainties into a framework of manageable risks.
 * The method seeks to determine whether the repository has made every effort to avoid and contain identified risks that might impede its ability to receive, curate and provide access to authentic, understandable digital information.
 * Repositories are expected not only to identify and manage risks, but also to demonstrate their ability to do so.
 * This toolkit is meant for self-assessment and should help identify risks and measures.
 * The primary repository functions are receiving, keeping, documenting and disseminating authentic usable objects.
 * Risks should be divided into functional classes and internal and external risks.

== PART I: Background ==

[[NotesOnDramboraPartIBackground| Notes on the background.]]

== PART II: Audit Process ==

Audit Process Stages:

 * Stage 1: Identify organisational context
 * Stage 2: Document policy and regulatory framework
 * Stage 3: Identify activities, and their owners (see functional classes activity examples pages 71-73)
 * Stage 4: Identify risks (see generic list of risks pages 81-83)
 * Stage 5: Assess risks
 * Stage 6: Manage risks

Functional classes:

 * Operational functional classes:
  * Acquisition & Ingest
  * Preservation & Storage
  * Metadata management
  * Access & dissemination
 * Support functional classes:
  * Organisation & management
  * Staffing
  * Financial management
  * Technical infrastructure & security

[[NotesOnDramboraPartIIAuditProcess| More notes on the audit process.]]

== PART III: Conclusions ==

Valuable results of the process are a documented self-awareness of fundamental objectives, a documented understanding of the risks and choice of means for risk management including strategies for avoidance, treatment, transfer and tolerance.

##[[Anchor(app2)]]
##==== Appendix 2: Self-audit Templates ====
##Simple templates that can be used when doing the audit.

== Appendix 3: Example Risk Register ==

The summary example list is on pages 81-83; this appendix contains the full examples.
There are examples which focus on management, resource allocation, business reputation and staffing, but there are also a couple on community requirements, some on policies and procedures, some on legal liability (IPR is Intellectual Property Rights), a couple on 'repository success' and some on hardware, software, storage media, security, third-party services, received packages (for ingest), loss of confidentiality/availability/authenticity/integrity/reliability/provenance of information, backups/copies, preservation, metadata management and access and dissemination (78 in total). We should probably take a quick look at all of them.